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INTRODUCTION TO THE mVBNTION 

In recem years, the amount of content protection systems is growing in a rapid 
pace. Some of these systems only protect tl.e content against iflegal copying, while othera are 
also prohibiting the user to get access to the content The first category is called Copy 
ft«tection(CP) systems. CP syslamshavetraditio^ 

dectronios (CE) device^ as IMs type of content protection Is thought to he cheaply 
implemented and doesnotaeedW^tional interaction with the content provider. Some 
examples ate the Contem Smambling System (CS S). the protection system of DVD ROM 
discs and DTCP. the protection system for IEEE 1394 connections. 

The second eategmy is known under several names. In the broadcast world, 
systems of this category aie genetaUy known as conditional access (Ca) systems, while in 
the .toemet world ftey are generally taownas Digital Righto 

Some type of CP systems can also provide services to hiiaif^ CA orDRM 
systems. Examples are the systems currently under development by the DVB-CPT subgroup 
ami the TV-Anytime RMP group. The goal Is a systemin vAich a set of devices can - 
authenticate each other through a W-diieotionalcomiection. Based on this auihenticatioa, the 
devices will trust each other and this will enable/allow diem to exchange protected comem. 

The accompanying licenses describe ^^chrights the user has and what operatioms he is 
aUowcd to perform on the content The license is protected by means of some geneml 
network secret, which is only exchanged between the devices withm a certam household. 
Tliis network of devices Is called Authorized Domain (AD). 

In some of the current proposals for anthorized domains, the number of 
devices is the main Umitation of the size of the autiiorized domain. The proposals (like the 
SmarfRight system developed by TTmrnson Multimedia) have a fixed maximum of the 
number of devices that might be part of the authorized domain. The main reason for limiting 
the size of the domam is to prevent dmnains fiom spreading unbounded over the Internet, 
where people open their authorized domain for complete strangers at the other end of the 

worid. By lunitiag the size offl»authorizeddomam, people have the mcentive to aUowo^^ 
then- own detvices to be part of the domahL 
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Tius fixed maxiniain on the number of devices in the authorized domain has 
nmnber of disadvaniaees. One disadvantage is ihe £)et tbat when a device breaijs down 
gets stolen, it is difficult to recover Uie rights assodated with this device m the authorized 
domain. beauiaefheadmissiDnofdevicestoihedoniainnuyaot be centrafly oonirolled and 
it is also not archived ^ch particular devices «e pazt of the domain at any time. 

A fijiflier disadvantage of the fixed maxinnnn is the fiwt that it is very difficult 
to detemiine beforehand what a reasonable value of the maxittnim is. Sj^edally when in the 
fiiture more networiced devices a« hooked iq) to the home netwoik; 
reasonable today may be fir too tow in the fhtme. Hbvwver. it is veiy complex to Implement 
such a fixed maximum hi a way that aUows easy \9g1adlng of the maximum in ^ foture. 



SUMMARY OP THE INVENTION 

It is an object of die present mvention to provide a system in which fihe size of 
a particular domain can be restricted, whilst overcoming the disadvantages associated with a 
15 fixed m a ximum on the number of the devices in the particular domain. 

This oTgect is achieved according to the ptesent invention in a system in which 
the number of simultaneousty active sessions Is used as a measure or indication of the 
domain siae. This number could be, for example, thenumber of content items accessed at the 
same timet, or tiie number of activated tendering devices. 
^° In one embodiment, devices need to register fefimgelveft at tfia imthwi^a^ 

domain in the noimd way, but tiie total number ofdevices that can regi^ 
top of this xegistxation, a device needs to open a session to a security module, sudi as a 
smartcard. The total limitation of the network size is m this embodiment accomplished by 
limiting the number of security modules in cooperation with limiting the number of sessions 

!5 that a security module supports. As wiU become appagentbetow, many alternative 
embodunents. are possible wititin the scope of the mvendon. 

One could fiir example use as security module a.smart card tiiat supports only 
one session (i.e. with tiie device that holds Ihe smart card) and tiie total number of smart 
cards permitted to be used in the domain at one time is limited to a certain maximum, 
0 Ij^qjortaat in tiiis implementation is to prevent "session-hopping". 'Session- 

hopping' is a possible mechaoisan to share sessions ovw the Intemet. People who have spare 
(unused) sessions in flieir own domain, might want to share those sessions over tiie Internet, 
tiiereby escapmg flwn tiie basic requirement set on authorized domains, i.e. limiting the 
distribution of content over tiie liitetoet. This issue can be addressed by installing 
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mechadsms as allowing a device to be registered at only one authorized domain and 
astalliflgtimedelaysfhatlimitchang^ ^ 
coxdd be leirfacedi^thor combined vvithiequiri^ 
possibty a idiyaal action on one of flie domain devices. 

BRIEF DESCRIPTION OP IHE HQURJBS 

Iliese and otiier aspects of the imrenrion Win be igjpaient from a^ 
vwtbxeference to tbe lUustrativB embodiments shown in &e dmwings. in which: 

Kg. I sohematicaUy shows a system cemidsing devices interconna^ 

10 netWQi]^ 

Fig. 2 schematicaUy shows tbe schematic division of the system 100 of Fig. 1 
into a CA domain and a CP domain] and 

Kg. 3 schematicaUy shows a preferred embodiment of a security module, in . 
the fonn of a smart card, for use in Ute system of Fig. I . 
15 ThioB^out the figures, same relbenee numerals indicate similar or 

corresponding features. Some of the features indicated in the drawings are lypicaUy 

implementedin software, and as suchrepresent software entitle^^ 
or objects. 

20 SYSTEM ARCHITECTURE - - - 

Fig. 1 schematicaUy diows a system 100 comiaising devices 101-105 
intercomiectedviaanatwoikllO. In this embodiment, the system 100 is an in.h«^^ 
network. Atypical digital home networicindudes anmnber of devices. e.g. a radio receiver, a 
i«nei/decoder, aCD player, apafrof qieaka?. atetevision, a VCR, a t^e deck, ami so on, 
Tliese devices are usually intercomiected to aDow one device, e.g. the television, to control 
another. e.g. the VCR. One device, such as e.g. thetnner/decoder or asettop box (STBX is 
usuaUy the central device, providing central control over the oflieis. 

Content, which typicaUy comprises things like music, songs, movies. TV 
programs, pictures, books and the likes, but which also includes imsraetive services, is 
received through a residential gateway or set top box 101. The source could be a comiection 
to a broadband cable netwoifc, an Internet connection, a sateUlte downlink and 9o on. Hie 
content can then be transferred over the network II 0 to a sink for rend^g. A sink can be, 
for instance, the television display 102. the portable display device 103, the mobile phone 
104 and/or the audio pl^ck device 105. 
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Thfi«ataa wyittvaudiacoiitratitemisiaideredd^^ on the type of 
device and the typa of oortf«aLForinstance.maradioiecdver.^ 
genemting andio signals end feeding fliem to loudspeakeis. For a television receiver, 
rendering generally conpiiseii generating andio and video signalp and feeding those to a 
5 «»i^i«y8««»andloudipeater8.Forothertypesofco^ 

be taken. Rendering may also include opoadons such as decrypting or descmmbling a 
wceived signal, qaushtt«niaang audio and video signals 

The set top box 101, or aiiy other device in the system 100, may comprise a 
storage medium SI such as a suitably large haid disk. aDowing the lecordiiiga^ 
10 playback of received content. Tbs storage medium SI could be a Personal Digital Recorder 

(PDR) of some kind, forexampbaDVD+RWrecotder,towhicbflie set top box 101 is 
connected. Content can also be enter the system 100 stared on a carrier 120 such as a 
Compact Disc (CD) or Digital Vessatile Disc (DVD). 

The portable display device 103 and the mobUe phone 104 are connected 
wirelesdy to the network 1 1 0 using a base station 11 1 . for example using Bluetooth or IBEB 

802.11b. Theotberdcvicesateconnectedusingaconventionalwiredconnection. To 
aUowthe devices 101-105 to interact, several interoperability standards are avaflable, which 

aflowdiflferantdeviceslDexchangemessagesand information and to control each One 
v«U-known standard is the Home AMdioATideoInlsroperabili^ 1.0 
bfwMch was pi&Iished in January 2000, and vrtuch is available 
ht*:/Awvw.havi.oig/. Other welHmovwi standards are the domestic digital bus (D2B) 
standard, a oonmumlcations protocol described In mc 1030 and Universal Plug and Play 
0i%-yAmw.uprqp.oi8). 

It is oftenimportaattoensorethatthe devices 101-105 to the home netwrork 
do not make unauthorized copies of the content To do this, a security fiamework, typically 
referred to as a Digital Rights Management (DRM) system is necessary. 

In one such ftamework, the home network is divided conceptuaUy in a 
conditional access (OA) domain and a copy protection (CP) domahr. TypicaUy, the sink is 
located in the CP domain. This ensures that when content is provided to the sink, no 
unauthorized copies of the content can be made because of the copy protection scheme in 
place hi the CP domain. Devices in the CP domain may comprise a storage medium to make 
temporary copies, but such copies may not be exported fiom the CP domain. This framework 
is described in European patent application 01204668.6 (attoniey docket PHNL010880) by 
the same ^pUcant as the present application. 
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that Impleznent the seemfttr j j . '«'»»cesmtne in-home netwoifc 

content securely. Access to tl.««,«^- "-""liwiw eaca omer and distnbute 

•«o«M 01 a» copy imteifcm sdieiM in piare to flK CP don^ 
««ii«to«amat«woittdiaii»op<IoiMi^«isooii. "wmo. 

SECURITY MODULES 

«»dar«dr^ u lOOinencrypted to. Before it can be 

-u>d«lesiK,;adtWorebev«dIproteotedag«instt^^ "le. lUe secunty 
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Of cooise there are many ways to implement security modules. A common 
secure soludon is to embiu^ the security modulo in ibe fbm of a smart card. The security 
module could also be provided as an integrated component of one of the devices 101-105, or 
as a sq)arate device. The security module can be embodied in hardware, software or a 
5 combinatian fhereoC. 

The smart caid 300 conqiclses a condidonal access module 310 and a secure 
storage module 311. Smart cards are much more difficult to campromlse than ordinary 
computers or software and so offer a better way of pratecting the conditional aspects of a 
conditional access service. One or more of the devices 101-105 is then equipped with a smart 
card reader, m which the us» can insot the smart card 300. 

The control word necessary to decrypt^ contait can be stored m the secure 
storage module 301 on the smart card 300. Tim way, it is very difScult for the user to obtain 
the control word, and so it is very difBoult for him to access the content without paying for it. 
Hie smart card 300 may comprise a decryption module 312, which decrypts an instance of 
15 the content using the control word and suppUes the decrypted instance to a rendering device 
such as television 102. 

Alternatively, fte smart carl 300 can supply the control word to another 
device wWcih tiiea deoiyirts the instance. In this case, there is the risk that 
has been taa«>eied with in sudi a w^ that it wiU not sunply decrypt the content, but in^^ 
store the control wcW or stow th^ uiiettaypted content vwithoiit authorization to do &>. In 
order to prevent sudiamodified device fiom accessing &e control word, the smart card 300 

may eo^oy an authentication mechanism in order to verily whethertfae device has been 
taniperedwith. 

Iliis auftentioalion mecham'sm is for bstanca realized by having the snurt 
card issue an encrypted 'chaUenge* to the device, wMcib the device must decrypt and send 
back to the smart card 300. If the device cannot correctly decrypt the challenge, it is not a 
compliant device and may act get access to the control word. Alternatively, the smart card 
300 can check the integrity of some part of the program code to be executed by the device, 
for example by verifying a digital signature. 

The control word may be provided in an Entitlement Control Message (ECM) 
&8t is sent to the system 1 00 by the service provider providing the eacaypted service. It could 
also be stored permanently in the smart card 300. This ECM is then provided to the smart 
cat4 300 and thereby to the conditional access module 3 1 0, which obtains the control word 
fiom the ECM. The conlxol word will often be present m an encrypted fbrm in the ECM, and 
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so li« cQoditioiai access module 3 1 0 iiiU need 10 decrypt the 
decrj^tionkey necessary to decijpttiie conliol ^ can th^ 

module 511. ^ 

In accordance the ptwent invwjlion. the smart card 300 is also 
wrthasessionmaaagementmoduleSU. Tlietem'Wn" refers lothehand^ 
specific instance of a content item, in particular decocting the instance and supplytagthe 
decrypted instance to the rendering device. Handling may be restricted to a portion of the 
instance (eg. the audio chamois or the video jrt«am of a movie), or cover the instance as a 
whole (audio, video. Teletext information, and so on). Another definition of a "session- 
could be the number of active devices, or the number of active "display" devices (e.g TV 
monitor.audioamplifier,...).Thesmartcard300isftcentraIe«tiiyiathispiooess. 

It msgr be that two rendering devices are simultaneously rendering the same 
televisioaprogian*, ortfaat oms rendering device is playing bade a piece of music andu 
storage device is making a copy of the same piece of music at the same time. Ih both cases 
the system 1 00 is handling two sunuhaneous sessions, even if both devices are operating on 
the same stream of data. 
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SESSION RESTRICTION 

The session management module 3 1 3 is operable to restrict the number of 
simultaueoussessionsthatthesmartcard300ispeimiltedtohandle.l^^ . 

the system 100 can connect « unlimited nmi*er of devices to the system 100, but he 
be able to view or listen to many instances of content at the same time. If the entire system 
1 00 is located withm one household, this is. not a problem, assuming a reasonable vpp^ limit 
on the number of simultaneous sessions is chosen. 

If the devices in the system 100 are distributed over various houses ia a 
particular district, the same upper Imut seriously restricts the use of the devices. For exanple, 
if the uppa: limit is set to twelve simultaneous sessions. aU members of an average household' 
^^roVfVnsszfl i \^k.ht>]i': 1 3- *»vorite television programs, listen to the radio and at the 
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